Network monitoring and expense report analysis simply don’t work. The perfect side-channel attack on Shadow IT? Your inbox.
SaaS is the boon of our time, a magic wand that turns weeks of work into hours. Never have we had more purpose-built tools so readily at our fingertips to make us more productive. Need to collaborate on a whiteboard with 15 people around the world? No problem—use Miro! Need to manage a project across four time zones and multiple stakeholders? Asana to the rescue! Need to manage the books for a non-profit organization? Aplos! No matter the challenge, your solution is just a few clicks away. But with this massive gain in productivity, we’ve also lost a major point of control used by security teams. Centralized teams no longer have consistent access to—or even awareness of—all the systems being used to run their critical processes.
Our traditional approach to managing corporate IT has always relied on the central control of that technology. Whether it was security assessments to evaluate the trustworthiness of the vendor, or layering on security controls such as SSO, or integrating into a centralized monitoring program, security processes have always depended on awareness and access to a system as a prerequisite to securing it. Traditional procurement processes provided an easy integration point for security interests: New projects were started, RFPs were issued, procurement was engaged, and security got involved. The problem is, this type of procurement process has been rapidly disappearing from organizations—soon it will just be a ghost story we tell Zoomers. As a result, most companies have reached a critical tipping point where they are unaware of at least half of the technology their employees are using.
When there is such a massive deficiency of knowledge about the technology in our organization, people tend to avoid the conversation. “Oh, well do I care about that?” “What is shadow IT anyway?” But without a basic understanding of what’s in use, you can’t answer the fundamental questions of security: What systems does my corporate IP live in? Where is my customers’ personally identifiable information (PII) stored? What systems are my business processes reliant upon? What is the attack surface I need to protect? As the CISO of a large payment processor once put it, “It does not matter if my customer list is stolen out of our production database or a marketing automation system someone sets up in their spare time—I still have the same brand damage and reporting obligations.’”
When thinking about discovering “Shadow IT,” people often reach for the tools of the past—network monitoring, mining expense reports, and technology policies. Essentially, forensic approaches where we take a mass of data and try to extract meaningful signals from it—days, weeks or months after we need it. The basic premise of these approaches is difficult to accept in our modern work environment. There are too many people working from too many places on too many devices to be comfortable with the idea that monitoring the network traffic is an effective control. As for expense reports, we have too many services whose pricing models are designed to work around this as a point of control—essentially priced as “free” until the organization can’t live without it. Finally, the catch-all “Well, that’s against our IT policy” is great if you’re trying to shift the blame, but it won’t prevent issues from coming up.
So, we’re faced with some immutable obstacles: We’ve got distributed teams working from multiple locations, devices, and networks. And we’ve got SaaS providers that offer free services, or paid services for teams and purposes unknown. What’s the consistent point of control that we can rely upon?
In thorny cases like these, what we need is a “side-channel attack.” A side-channel attack is the name for the observation and understanding of a system based on a seemingly inconsequential side effect. For example, reading data off of a hard drive based on the light coming from the status indicator, or determining cryptographic keys based on the sound or power consumption of a computer. While these techniques are deeply technical and not applicable for something as high-level as the registration and use of a SaaS account, we can still adopt the strategy. And there is indeed one consistent side effect of every SaaS account: email. That’s right, the one universal communication tool on the internet is reliably used by every SaaS provider to communicate with its customers.
Registering an account? Let me confirm your email address.
Resetting your password? Let me email you just to make sure.
Turning on two-factor authentication? Email confirmation!
Inviting someone to a project? Sure thing! What’s their email?
The other beautiful thing about email is that it sticks around forever. (Ever heard excerpts from a deposition?)
At Nudge Security, we figured out that with a simple integration into your corporate email account, you can access the history of all of your SaaS accounts. From account registrations to security updates or feature usage, it’s all there. This provides for two major advantages. First, your ability to detect expands to the full duration of your email storage history—instead of deploying technology and then waiting to accumulate the full scope of activity from your users over time, you can benefit from an already-archived data store, giving you immediate answers. The second is that no prior knowledge of a SaaS provider is required to detect accounts or activity. When looking at network traffic or expenses, you’re required to know the DNS name or description on the receipt to be able to detect the account. But when analyzing an email, you just need to be able to categorize the communication: Is this a password reset email? Email confirmation? Account registration? Questions that are readily solved with ML techniques.
In summary, our side-channel monitoring approach allows us to achieve full historical visibility as well as breadth of detection, without impacting employee experience or requiring the rollout of technology such as network gateways, agents, or browser plugins. Just integrate with Google Workspace or Microsoft 365 one time, sit back, and watch as a dashboard populates with your organization’s entire SaaS footprint. The cherry on top is the critically valuable information that becomes available as you analyze the emails: AWS account number? Source code repository name? OAuth integration? Captured. All of those data points are easily extracted from your email history, giving you a truly centralized inventory of the essential information that runs your organization. We think it's pretty elegant—and so does the U.S. Patent Office.
So, now you can see your company’s full (and probably shocking) SaaS footprint. But even with the discovery challenge solved, the real issue with SaaS sprawl remains. Employees adopt SaaS because they are trying to get their job done better, faster, or easier. That’s worth repeating: They are trying to get their job done. They’re not reaching for SaaS to waste time or have fun, but rather because they think it will help them and the company. That’s a good thing—an instinct worth encouraging.
The role of a security organization should be carefully considered within this context. Say no too often and you’ve become a barrier to getting work done. Say yes without constraint and you’ve now relinquished your ability to effectively manage risk. The balancing factor between these two extremes is engagement. When SaaS is being used, the business value gained needs to be weighed against the organizational risk. This evaluation requires an understanding of the SaaS provider, the organizational context of use, as well as the level of associated risk. This is an effort that simply can’t be taken on without input and engagement from both employees and security teams alike. This is a problem solved only through collaboration and enablement.
